Description
Hi Vegard,
I already outlined in another issue (#106 (comment)) that I'd like to contribute to the READMEs. One area where I'm lacking knowledge is sealed secrets, hence the following 2 questions:
- Bootstrap: How do you create your sealed secrets initially? Please see some snippets I've gathered so far. Maybe you have some other commands handy -- maybe more elegant than my approach?
- Regarding proper usage: It looks like you prefer storing the secrets in VCS permanently. That helps when in the need for re-creating the cluster (may it be for trial-and-error start from scratch or in case of disaster recovery). I will prepare a PR for storing the openssl key+crt in a SOPS-protected file. So one doesn't depend on storing the openssl key locally (without VCS or backup). I'm contemplating this approach for terragrunt, at least, because using local files (not stored in VCS) is more tricky. What do you think?
- How do you facilitate key rotation (mentioned in one of your blog articles)? As far as I understood the documentation, one could also create the K8S secrets first and then let the Controller generate/update the sealed secret upon. That would mean one could just assign a new ssl key to the controller and let K8S update all sealed secrets without the need to update the secrets.
General approach
Do you create the sealed secret first, which then creates a K8s secret, or the other way round? Documentation for sealed secrets mentions both approaches. I'm using the generic pipeline approach based on kubeseal:

```sh
echo -n bar | kubectl create secret generic mysecret --dry-run=client --from-file=foo=/dev/stdin -o yaml | kubeseal --controller-namespace sealed-secrets -o yaml -n <namespace> --merge-into <existing or new sealed secrets>.yaml
```
CloudFlare API Token
I first created a locally-managed CF tunnel and then piped it into the kubectl-kubeseal chain:

```sh
cat ~/.cloudflared/<my-tunnel-id>.json | kubectl create secret generic tunnel-credentials --dry-run=client --from-file=credentials.json=/dev/stdin -o yaml | kubeseal --controller-namespace sealed-secrets -o yaml -n cloudflared --merge-into ~/src/vehagn-homelab/k8s/infra/network/cloudflared/tunnel-credentials.yaml
```
AdGuard
I just leveraged the users.yaml from another instance:

```sh
cat users.yaml | kubectl create secret generic users --dry-run=client --from-file=users.yaml=/dev/stdin -o yaml | kubeseal --controller-namespace sealed-secrets -o yaml -n dns --merge-into infra/network/dns/adguard/secret-users.yaml
```
Kind regards -- Sebastian
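As an added example (not code from the issue or from the vehagn-homelab repository), a small Python wrapper for the kubectl-plus-kubeseal pipeline quoted above: it builds the Secret manifest in memory instead of via `kubectl create secret --dry-run=client` and pipes it straight into `kubeseal` with the same flags the issue uses, so the plaintext value never lands in a file. The script name `seal.py`, its argument order and the JSON-on-stdin hand-off to kubeseal are assumptions.

```python
"""Build a Kubernetes Secret manifest in memory and pipe it into kubeseal.

Added example, not part of the issue or the repository it refers to.
Replaces the `kubectl create secret generic ... --dry-run=client -o yaml`
stage of the pipeline; kubeseal is only needed when actually sealing.
"""
import base64
import json
import subprocess
import sys


def build_secret_manifest(name: str, namespace: str, data: dict[str, bytes]) -> dict:
    """Equivalent of `kubectl create secret generic NAME --from-file=KEY=FILE
    --dry-run=client -o json`: an Opaque Secret with base64-encoded values."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {k: base64.b64encode(v).decode("ascii") for k, v in data.items()},
    }


def kubeseal_cmd(namespace: str, merge_into: str,
                 controller_ns: str = "sealed-secrets") -> list[str]:
    """kubeseal invocation with the flags used in the issue's pipeline."""
    return ["kubeseal", "--controller-namespace", controller_ns, "-o", "yaml",
            "-n", namespace, "--merge-into", merge_into]


def seal(name: str, namespace: str, data: dict[str, bytes], merge_into: str) -> None:
    """Seal `data` into the SealedSecret file `merge_into` (created if absent)."""
    manifest = json.dumps(build_secret_manifest(name, namespace, data))
    # kubeseal reads the Secret on stdin (assumption: JSON accepted like YAML);
    # --merge-into updates the SealedSecret file in place instead of printing it.
    subprocess.run(kubeseal_cmd(namespace, merge_into),
                   input=manifest.encode("utf-8"), check=True)


if __name__ == "__main__":
    # usage: echo -n VALUE | python3 seal.py NAME NAMESPACE KEY SEALED_FILE
    secret_name, ns, key, target = sys.argv[1:5]
    seal(secret_name, ns, {key: sys.stdin.buffer.read()}, target)
```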